User's Manual

CLI (Command Line Interface)
NXA-ENET24 - Software Management Guide
MAC ACL Commands (Cont.)
Command: mask (MAC ACL)
Function: This command defines a mask for MAC ACLs. The mask defines the fields to check in the packet header. Use the no form to remove a mask.
Syntax:
[no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]]
pktformat – Check the packet format field. (If this keyword is used in the mask, the packet format must also be specified in the ACL rule for the rule to match.)
any – Any address will be matched.
host – The address must be for a single node.
source-bitmask – Source address of rule must match this bitmask.
destination-bitmask – Destination address of rule must match this bitmask.
vid – Check the VLAN ID field.
vid-bitmask – VLAN ID of rule must match this bitmask.
ethertype – Check the Ethernet type field.
ethertype-bitmask – Ethernet type of rule must match this bitmask.
Default Setting: None
Command Mode: MAC Mask
Command Usage: Up to seven masks can be assigned to an ingress or egress ACL.
Packets crossing a port are checked against the rules in the ACL until a match is found. The order in which the rules are checked is determined by the mask, not by the order in which the ACL rules were entered. A broad rule such as permit any any that was entered first therefore does not necessarily shadow a more specific deny entered later; the mask decides which rule is tried first.
First create the required ACLs and inbound or outbound masks before mapping an ACL to an interface, then use show access-list to confirm the effective rule order.
Example:
This example shows how to create an ingress MAC ACL and bind it to a port. The second show access-list output shows that the order of the rules has been changed by the mask.
Console(config)#access-list mac M4
Console(config-mac-acl)#permit any any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3
Console(config-mac-acl)#end
Console#show access-list
MAC access-list M4:
permit any any
deny tagged-eth2 host 00-11-11-11-11-11 any vid 3
Console#configure
Console(config)#access-list mac mask-precedence in
Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid
Console(config-mac-mask-acl)#exit
Console(config)#interface ethernet 1/12
Console(config-if)#mac access-group M4 in
Console(config-if)#end
Console#show access-list
MAC access-list M4:
deny tagged-eth2 host 00-11-11-11-11-11 any vid 3
permit any any
MAC ingress mask ACL:
mask pktformat host any vid
Console#
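The following Python model is an added illustration, not firmware code from the NXA-ENET24 or its manual. It shows the two ideas this page relies on: a MAC bitmask compares only the address bits that are set in the mask (so ff-ff-ff-ff-ff-ff is the host keyword and 00-00-00-00-00-00 is any), and a mask changes which rule is tried first. The ACL M4, the ingress mask and the sample frame are transcribed or constructed from the example above. The rule-to-mask coverage test (a rule is covered when it specifies exactly the fields the mask checks) and the fallback to entry order for rules no mask covers are assumptions made for the model, not documented switch behaviour.

```python
"""Simplified model of MAC ACL bitmask matching and mask precedence (added example)."""
from dataclasses import dataclass
from typing import List, Optional

HOST = "ff-ff-ff-ff-ff-ff"   # 'host' keyword: every address bit must match
ANY = "00-00-00-00-00-00"    # 'any' keyword: no address bit is checked


def mac_to_int(mac: str) -> int:
    """Parse xx-xx-xx-xx-xx-xx (or colon form) into a 48-bit integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def addr_match(frame_addr: str, rule_addr: str, bitmask: str) -> bool:
    """Bitmask comparison: only bits set in bitmask are compared."""
    m = mac_to_int(bitmask)
    return (mac_to_int(frame_addr) & m) == (mac_to_int(rule_addr) & m)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str = ANY
    src_mask: str = ANY                # HOST for the 'host' keyword
    dst: str = ANY
    dst_mask: str = ANY
    pktformat: Optional[str] = None    # e.g. "tagged-eth2"; None = not specified
    vid: Optional[int] = None
    ethertype: Optional[int] = None


@dataclass(frozen=True)
class Mask:
    """Which header fields a mask checks (mirrors the mask command arguments)."""
    pktformat: bool = False
    src_mask: str = ANY
    dst_mask: str = ANY
    vid: bool = False
    ethertype: bool = False


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    pktformat: str
    vid: Optional[int] = None
    ethertype: Optional[int] = None


def rule_matches(rule: Rule, frame: Frame) -> bool:
    return (addr_match(frame.src, rule.src, rule.src_mask)
            and addr_match(frame.dst, rule.dst, rule.dst_mask)
            and (rule.pktformat is None or rule.pktformat == frame.pktformat)
            and (rule.vid is None or rule.vid == frame.vid)
            and (rule.ethertype is None or rule.ethertype == frame.ethertype))


def rule_fits_mask(rule: Rule, mask: Mask) -> bool:
    """Assumption: a rule is covered by a mask when it specifies exactly the fields the
    mask checks, as in the manual's example where 'mask pktformat host any vid' pulls
    'deny tagged-eth2 host ... any vid 3' in front of 'permit any any'."""
    return (mask.pktformat == (rule.pktformat is not None)
            and mask.vid == (rule.vid is not None)
            and mask.ethertype == (rule.ethertype is not None)
            and rule.src_mask == mask.src_mask
            and rule.dst_mask == mask.dst_mask)


def effective_order(rules: List[Rule], masks: List[Mask]) -> List[Rule]:
    """Rules covered by the first mask come first, then those of the second mask, and so on.
    Assumption: rules that no mask covers keep their entry order after the masked ones."""
    ordered: List[Rule] = []
    for mask in masks:
        for r in rules:
            if r not in ordered and rule_fits_mask(r, mask):
                ordered.append(r)
    ordered.extend(r for r in rules if r not in ordered)
    return ordered


def evaluate(rules: List[Rule], masks: List[Mask], frame: Frame) -> Optional[str]:
    """The first matching rule in effective order decides; None if nothing matches."""
    for r in effective_order(rules, masks):
        if rule_matches(r, frame):
            return r.action
    return None


# ACL M4 and its ingress mask, transcribed from the manual's example.
M4 = [
    Rule("permit"),                                       # permit any any
    Rule("deny", src="00-11-11-11-11-11", src_mask=HOST,  # deny tagged-eth2 host ... any vid 3
         pktformat="tagged-eth2", vid=3),
]
INGRESS_MASKS = [Mask(pktformat=True, src_mask=HOST, dst_mask=ANY, vid=True)]

# Constructed sample frame that the deny rule is meant to catch.
TAGGED_FRAME = Frame(src="00-11-11-11-11-11", dst="00-22-22-22-22-22",
                     pktformat="tagged-eth2", vid=3)


def demo():
    """Returns (verdict in plain entry order, verdict with the ingress mask applied)."""
    return evaluate(M4, [], TAGGED_FRAME), evaluate(M4, INGRESS_MASKS, TAGGED_FRAME)


if __name__ == "__main__":
    print(demo())  # ('permit', 'deny')
```

In entry order the permit any any rule matches every frame and the deny is never reached; with the ingress mask in place the deny is evaluated first and the tagged frame from 00-11-11-11-11-11 on VLAN 3 is dropped, which is exactly the reordering the second show access-list output displays.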